b'              U.S. Department of the Interior\n                  Office of Inspector General\n\n                                    ADVISORY LETTER\n\n\n         Department of the Interior Responses to\n   Review Guide for Planning and Assessment Activities\n    for Protecting Critical Non-Cyber Infrastructures\n\n\n\n\nNo. 2002-I-0012                       DECEMBER 2001\n\x0c\x0c                                                                                                   H-IN-OSS-003-01 R\n\n                             United States Department of the Interior\n\n                                                  Office of Inspector General\n                                                           Washington, D.C. 20240\n\n\n\n\n                                                                                                       December 21, 2001\n\n\n                                                 Advisory Letter\nMemorandum\n\nTo:           Assistant Secretary for Policy, Management and Budget\n\nFrom:         Elaine T. Weistock\n              Director, Quality Assurance and Audit Followup\n\nSubject:      Advisory Letter on Department of the Interior Responses to Review Guide for Planning\n              and Assessment Activities for Protecting Critical Non-Cyber Infrastructures\n              (No. 2002-I-0012)\n\nAs requested by the President\xe2\x80\x99s Council on Integrity and Efficiency (PCIE), we completed the\nPCIE\xe2\x80\x99s review guide, which was designed to obtain information concerning the critical physical\ninfrastructure and planning processes used by the Department of the Interior (DOI). We conducted\nthe review as part of a Governmentwide four-phase PCIE evaluation of Federal agency\nimplementation of Presidential Decision Directive 63 (PDD-63). The Directive called for a\nnational effort to ensure the security of the Nation\xe2\x80\x99s critical physical and cyber-based\ninfrastructures.1 The four phases of the review include the following:\n\n      # Agency planning and assessment activities for protecting critical cyber-based\n        infrastructures (Phase I).\n      # Agency implementation activities for protecting cyber-based infrastructures (Phase 2).\n      # Agency planning and assessment activities for protecting critical non-cyber infrastructures\n        (Phase 3).\n      # Agency implementation activities for protecting critical non-cyber infrastructures\n        (Phase 4).\n\nWe also evaluated DOI\xe2\x80\x99s implementation of the two recommendations contained in our Phase 1\nadvisory letter (No. 00-I-704), which was issued in September 2000. The results of the review\nwill be sent to the PCIE working group for inclusion in a Governmentwide report concerning the\nsecurity of Federal Critical Infrastructures.\n\n\n1\n Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and\nGovernment, including, but not limited to, telecommunications, energy, banking and finance, transportation, and water systems and\nemergency services, both Governmental and private.\n\x0cBackground\nAdvances in information technology have resulted in increasing the automation and interlinking of\nphysical and cyber-based infrastructures and have created new vulnerabilities to intentional or\nunintentional infrastructure attacks from human error, weather, and equipment failure that could\nsignificantly harm the Nation\xe2\x80\x99s economy and military capability.\n\nPDD-63, signed on May 22, 1998, ordered the strengthening of the Nation\xe2\x80\x99s defense against\nterrorist acts, weapons of mass destruction, and assaults on critical infrastructures that would\ndiminish the ability of the Government to protect the national security and ensure general public\nhealth and safety; the state and local governments to maintain order and deliver minimum essential\npublic services; and the private sector to ensure the orderly functioning of the economy and the\ndelivery of essential telecommunications, energy, financial, and transportation services. PDD-63\ndirects the Government to eliminate any significant vulnerability to both physical and cyber attacks\non its critical infrastructures by May 22, 2003.\n\nDOI\xe2\x80\x99s Critical Infrastructure Protection Plan (CIPP) identified Hoover Dam, Shasta Dam, Grand\nCoulee Dam, the Main Interior Building, and the Bureau of Reclamation\xe2\x80\x99s Supervisory Control and\nData Acquisition computer system supporting dam operations as national critical infrastructures.\n\nResults of Review\nBased on its responses to the review guide, DOI has identified its critical assets, completed its\ninitial vulnerability assessments, and resubmitted its CIPP to the Critical Infrastructure Assurance\nOffice for review by an Expert Review Team (ERT). Although PDD-63 did not require DOI to\nnotify the Office of Inspector General\xe2\x80\x99s (OIG) criminal investigations office of physical\ninfrastructure attacks (see review step A19.e in Appendix 1), we consider it appropriate for DOI\nto notify the OIG when attacks on critical physical infrastructure have occurred. Also, DOI has\ntaken action to incorporate the ERT\xe2\x80\x99s previously suggested improvements and to implement the\ntwo recommendations contained in our Phase I advisory letter. The two recommendations\npertained to the establishment and implementation of a requirement to document the periodic threat\nreview process and the resubmission of the CIPP to the ERT for approval.\n\nThe results of our review of DOI\xe2\x80\x99s critical physical infrastructure protection planning efforts under\nPhase 3 and the review steps that were developed by the PCIE working group are detailed in\nAppendix 1.\n\nRecommendation\nWe recommend that DOI\xe2\x80\x99s Critical Infrastructure Assurance Officer (CIAO) establish a policy\nrequiring that the OIG be notified when attacks on DOI\xe2\x80\x99s critical physical infrastructure assets\noccur.\n\n\n\n\n                                                 2\n\x0cAssistant Secretary for Policy, Management, and Budget Response\nand OIG Reply\nIn an August 14, 2001, response (Appendix 2) to the draft report, the Director, Office of Managing\nRisk and Public Safety (DOI\xe2\x80\x99s CIAO), concurred \xe2\x80\x9cwith the spirit of the recommendation that the\nOIG be notified when attacks on DOI\xe2\x80\x99s critical physical infrastructure assets occur.\xe2\x80\x9d The\nresponse further stated that the \xe2\x80\x9cpolicy can be effective immediately.\xe2\x80\x9d The policy, however, was\nnot prepared by the date we issued this final report. Based on the response, we consider the\nrecommendation resolved and we are requesting additional information (Appendix 3).\n\nIn accordance with the Departmental Manual (360 DM 5.3), please provide us with your written\nresponse by January 31, 2002, regarding the target date for issuing a policy that requires OIG\nnotification when attacks occur on DOI\xe2\x80\x99s critical physical infrastructure assets.\n\nThe legislation, as amended, creating the OIG, requires semiannual reporting to Congress on all\naudit reports issued, actions taken to implement audit recommendations, and identification of each\nsignificant recommendation on which corrective action has not been taken.\n\nThis advisory letter will be listed in our semiannual report to the Congress, as required by Section\n5(a) of the Inspector General Act (5 U.S.C. app.3).\n\n\n\n\n                                                  3\n\x0c                                                                                                                    Appendix 1\n                                                                                                                   Page 1 of 13\n\n                                                      SCHEDULE OF REVIEW RESULTS\n\n                                                                         Estimated    Estimated Estimate is\n                                                                          Date of      Cost of   in Agency\n          Review Step                      Yes No N/A     Cause   Effect Resolution   Resolution CIP Budget   Recommendation\nA.1 Has agency completed its               X\nCritical Infrastructure Protection Plan\n(CIPP)?\nA.2 If the agency does not plan to                X\ncomplete a CIPP, is it because it is\nnot a Phase I/II agency subject to\nPresidential Decision Directive (PDD)\n63 or among the agencies listed in the\nCritical Infrastructure Assurance\nOfficer\xe2\x80\x99s (CIAO) Project Matrix?\nA.3 If the answer to question A.2 is              X\nyes, then identify the agency\xe2\x80\x99s physical\nassets that may be subject to PDD-\n63. Does agency management agree\nthat any of the assets should be\nsubject to PDD-63?\nA.4 For agencies that have prepared        X\na CIPP, did the Critical Infrastructure\nCoordination Group sponsor the\nrequired "expert review process" for\nthe CIPP? If an Expert Review Team\n(ERT) review was not performed,\nthen determine the "cause" and\ncontinue with the remaining steps.\n\n\n\n\n                                                                  4\n\x0c                                                                                                                                         Appendix 1\n                                                                                                                                        Page 2 of 13\n\n                                                                                              Estimated    Estimated Estimate is\n                                                                                               Date of      Cost of   in Agency\n           Review Step                      Yes No N/A             Cause               Effect Resolution   Resolution CIP Budget   Recommendation\nA.5 If the Critical Infrastructure          X\nCoordination Group completed the\nexpert review and found the CIPP\ndeficient, has the agency taken\nadequate remedial action(s)?\nA.6 Does the CIPP require the               X\nappointment of a CIAO who will have\noverall responsibility for protecting the\nagency\xe2\x80\x99s critical infrastructure?\nA.7 Has the agency appointed a              X\nCIAO?\nA.8 Does the CIPP require the               X\nagency to identify its physical Mission\nEssential Infrastructure (MEI)?\nA.9 If the answer to question A.8 is            X        DOI does not lease critical\nyes, does the identification of assets                   physical assets.\ninclude leased assets from the public\nor private sector?\nA.10 Does the CIPP identify a               X\nmilestone for identifying its physical\nMEI?\nA.11 Does the agency CIPP require           X\nan evaluation of new assets to\ndetermine whether they should be\nincluded in its MEI?\n\n\n\n\n                                                                                       5\n\x0c                                                                                                                 Appendix 1\n                                                                                                                Page 3 of 13\n\n                                                                      Estimated    Estimated Estimate is\n                                                                       Date of      Cost of   in Agency\n          Review Step                     Yes No N/A   Cause   Effect Resolution   Resolution CIP Budget   Recommendation\nA.12 Does the CIPP require the            X\nagency to perform vulnerability\nassessments of its physical MEI?\nA.13 Does the CIPP require periodic       X\nupdates of the assessments?\nA.14 Does the CIPP identify               X\nmilestones for completing the\nvulnerability assessments?\nA.15 Does the CIPP require risk           X\nmitigation relative to potential damage\nstemming from each vulnerability?\nA.16 Does the CIPP provide for            X\nperiodic testing and re-evaluation of\nrisk mitigation steps (policies,\nprocedures, and controls) by agency\nmanagement?\nA.17 Does the CIPP provide a              X\nmilestone for taking steps to mitigate\nrisks?\nA.18 Does the CIPP require                X\nestablishment of an emergency\nmanagement program?\n\n\n\n\n                                                               6\n\x0c                                                                                                                                                Appendix 1\n                                                                                                                                               Page 4 of 13\n\n                                                                                               Estimated    Estimated Estimate is\n                                                                                                Date of      Cost of   in Agency\n          Review Step                      Yes No N/A             Cause                 Effect Resolution   Resolution CIP Budget    Recommendation\nA.19.a If the answer to question           X\nA.18 is yes, does the CIPP specify\nthat the emergency management\nprogram include the following:\n    Incorporation of indications\n    and warnings?\nA19.b Incident collection, reporting,      X\nand analysis?\nA19.c Response and continuity of           X\noperation plans?\nA19.d A system for responding to           X\nsignificant infrastructure attacks while\nthe attacks are under way, with the\ngoal of isolating and minimizing\ndamage?\nA19.e Notification to OIG criminal             X        DOI has existing linkages and                                               Establish a policy requiring\ninvestigators of infrastructure attacks?                close working relationships                                                 that the Office of Inspector\n                                                        with Federal, state and local                                               General be notified when\n                                                        law enforcement agencies and                                                attacks occur on DOI\xe2\x80\x99s\n                                                        intelligence sources.                                                       critical physical\n                                                                                                                                    infrastructure assets.\n\n\nA19.f Criteria for determining if an       X\nincident should be reported to the\nNational Infrastructure Protection\nCenter (NIPC) or Federal Computer\nIncident Response Capability\n(FedCIRC)?\n\n\n                                                                                        7\n\x0c                                                                                                               Appendix 1\n                                                                                                              Page 5 of 13\n\n                                                                    Estimated    Estimated Estimate is\n                                                                     Date of      Cost of   in Agency\n          Review Step                   Yes No N/A   Cause   Effect Resolution   Resolution CIP Budget   Recommendation\nA19.g Procedures for reporting a        X\ncomputer security- or infrastructure-\nrelated incident to the NIPC?\nA.20 Does the CIPP require              X\nestablishment of a system for quickly\nreconstituting minimum required\ncapabilities following a successful\ninfrastructure attack?\nA.21 Does the CIPP identify a           X\nmilestone for establishing the\nemergency management program?\nA.22 Does the CIPP require a            X\nreview of existing policies and\nprocedures to determine whether the\nagency should revise them to reflect\nPDD-63 requirements?\nA.23 Does the CIPP identify a           X\nmilestone for reviewing existing\npolicies and procedures?\n\n\n\n\n                                                             8\n\x0c                                                                                                                                              Appendix 1\n                                                                                                                                             Page 6 of 13\n\n                                                                                                   Estimated    Estimated Estimate is\n                                                                                                    Date of      Cost of   in Agency\n           Review Step                      Yes No N/A              Cause                   Effect Resolution   Resolution CIP Budget   Recommendation\nA.24 Does the CIPP require the                  X        DOI\xe2\x80\x99s CIPP does not require\nagency to incorporate its CIP                            the agency to include CIP\nfunctions into its strategic planning and                functions in its strategic plan.\nperformance measurement                                  This is because only certain\nframeworks?                                              assets of one (the Bureau of\n                                                         Reclamation) of the eight\n                                                         bureaus and the Main Interior\n                                                         Building are considered\n                                                         critical infrastructure. These\n                                                         assets constitute a small\n                                                         portion of DOI\xe2\x80\x99s overall\n                                                         infrastructure. DOI\xe2\x80\x99s strategic\n                                                         plan concentrates on DOI\xe2\x80\x99s\n                                                         major programmatic goals,\n                                                         such as protecting the\n                                                         environment and preserving\n                                                         natural and cultural resources.\n\n\nA.25 Does the CIPP identify a                   X        See response to question\nmilestone for incorporating its critical                 A.24.\ninfrastructure protection functions into\nits strategic planning and performance\nmeasurement frameworks?\n\n\n\n\n                                                                                            9\n\x0c                                                                                                                Appendix 1\n                                                                                                               Page 7 of 13\n\n                                                                     Estimated    Estimated Estimate is\n                                                                      Date of      Cost of   in Agency\n          Review Step                    Yes No N/A   Cause   Effect Resolution   Resolution CIP Budget   Recommendation\nA.26 Does the CIPP require               X\nagencies to identify resource and\norganizational requirements for\nimplementing PDD-63?\nA.27 Does the CIPP identify a            X\nmilestone for identifying resource and\norganizational requirements for\nimplementing PDD-63?\nA.28 Does the CIPP require the           X\nagency to establish a program to\nensure that it has the personnel and\nskills necessary to implement a sound\ninfrastructure protection program?\nA.29 Does the CIPP identify a            X\nmilestone for establishing a program\nthat would ensure that the agency has\nthe personnel and skills necessary to\nimplement a sound infrastructure\nprotection program?\nA.30 Does the CIPP require the           X\nagency to establish effective CIP\ncoordination with other applicable\nentities (foreign, state, and local\ngovernments and industry)?\n\n\n\n\n                                                              10\n\x0c                                                                                                                  Appendix 1\n                                                                                                                 Page 8 of 13\n\n                                                                       Estimated    Estimated Estimate is\n                                                                        Date of      Cost of   in Agency\n           Review Step                     Yes No N/A   Cause   Effect Resolution   Resolution CIP Budget   Recommendation\nA.31 Does the CIPP identify a              X\nmilestone for establishing effective\nCIP coordination with other\napplicable entities (foreign, state, and\nlocal governments and industry)?\nA.32 Do the agency\xe2\x80\x99s plans for the         X\ncontinuous periodic review of its\nthreat environment appear adequate,\nand is the agency complying with\nthese plans?\n\nIdentification of Critical Assets\n\nB.1 Has the agency identified its          X\nphysical (non-cyber-based) MEI?\nB.1a Does the physical MEI include         X\nstaff and management, such as\nsecurity management and executives,\nneeded to plan, organize, acquire,\ndeliver, support, and monitor mission-\nrelated services, information systems,\nand facilities)?\nB.1.b Does the physical MEI include        X\nfacilities (all facilities required to\nsupport the core processes, including\nthese support information technology\nresources)?\n\n\n\n\n                                                                11\n\x0c                                                                                                                                           Appendix 1\n                                                                                                                                          Page 9 of 13\n\n                                                                                                Estimated    Estimated Estimate is\n                                                                                                 Date of      Cost of   in Agency\n           Review Step                      Yes No N/A             Cause                 Effect Resolution   Resolution CIP Budget   Recommendation\nB.2.a Evaluate the adequacy of the          X\nagency\xe2\x80\x99s\xe2\x80\x99 efforts to identify MEI and\nMEI interdependencies with\napplicable Federal agencies, state and\nlocal government activities, and/or\nindustry. Has the agency identified\ncritical, physical assets consistent with\nthe criteria in footnote 1 of the Phase\nIII review guide?\nB.2.b Has the agency identified             X\ninterdependencies for its critical\nphysical assets?\nB.2.c Did the agency use the CIAO               X        The critical physical\ninfrastructure asset evaluation survey                   infrastructure was identified\nto identify its MEI assets?                              and CIPP was prepared in\n                                                         June 1999, which was before\n                                                         the effective date of the\n                                                         criteria (January 2000).\n\n\n\n\n                                                                                         12\n\x0c                                                                                                                                          Appendix 1\n                                                                                                                                        Page 10 of 13\n\n                                                                                               Estimated    Estimated Estimate is\n                                                                                                Date of      Cost of   in Agency\n          Review Step                     Yes No N/A             Cause                  Effect Resolution   Resolution CIP Budget   Recommendation\nB.2.d Did the asset identification            X        The asset identification\nprocess include a determination of the                 process included a\nestimated replacement cost, planned                    determination of the potential\nlife cycle, and potential impact to the                impact of assets that are\nagency if the asset is rendered                        rendered unusable. DOI\nunusable?                                              officials said, however, that\n                                                       they did not consider it\n                                                       necessary to estimate the\n                                                       replacement cost and planned\n                                                       life cycle of assets that were\n                                                       rendered unusable.\nB.2.e Has the agency established          X\nmilestones for identifying and\nreviewing its MEI?\nB.2.f Is the agency meeting its           X\nmilestones?\n\nVulnerability Assessments\n\nC.1 Has the agency performed and          X\ndocumented an initial vulnerability\nassessment and developed\nremediation plans for its MEI?\n\n\n\n\n                                                                                        13\n\x0c                                                                                                                   Appendix 1\n                                                                                                                 Page 11 of 13\n\n                                                                        Estimated    Estimated Estimate is\n                                                                         Date of      Cost of   in Agency\n           Review Step                      Yes No N/A   Cause   Effect Resolution   Resolution CIP Budget   Recommendation\nC.2 Did the vulnerability assessments       X\naddress the threat type and magnitude\nof the threat, the source of the threats,\nexisting protection measures, the\nprobability of occurrence, damage\nthat could result from a successful\nattack, and the likelihood of success if\nsuch an attack occurred?\nC.3 Did the remediation plans               X\naddress the vulnerabilities found\nduring the assessment?\nC.4 Has the agency determined the           X\nlevel of protection currently in place\nfor its MEI?\nC.5 Has the agency identified the           X\nactions that must be taken before it\ncan achieve a reasonable level of\nprotection for its MEI?\nC.6 If your answer to number 5 is           X\nyes, then has the agency developed a\nrelated implementation plan and\nmechanism to monitor such\nimplementation?\n\n\n\n\n                                                                 14\n\x0c                                                                                                               Appendix 1\n                                                                                                             Page 12 of 13\n\n                                                                    Estimated    Estimated Estimate is\n                                                                     Date of      Cost of   in Agency\n          Review Step                   Yes No N/A   Cause   Effect Resolution   Resolution CIP Budget   Recommendation\nC.7 Has the agency delegated            X\nresponsibility for vulnerability\nassessments to the agency CIO or\nCIAO?\nC.8 Has the agency adopted a multi-     X\nyear funding plan that addresses the\nidentified threats?\nC.9 Has the agency reflected the cost   X\nof implementing a multi-year\nvulnerability remediation plan in its\nbudget submissions to OMB?\nC.10 Did the vulnerability              X\nassessments query national threat\nguidance for international, domestic,\nand state-sponsored\nterrorism/information warfare (e.g.,\nfrom the DoD, FBI, NSA, and other\nFederal and state agencies)?\nC.11 Has the agency prioritized the     X\nthreats according to their relative\nimportance?\n\n\n\n\n                                                             15\n\x0c                                                                                                                   Appendix 1\n                                                                                                                 Page 13 of 13\n\n                                                                        Estimated    Estimated Estimate is\n                                                                         Date of      Cost of   in Agency\n           Review Step                      Yes No N/A   Cause   Effect Resolution   Resolution CIP Budget   Recommendation\nC.12 Has the agency assessed the            X\nvulnerability of its MEI to failures that\ncould result from interdependencies\nwith applicable Federal agency and\nstate and local government activities\nand private sector providers of\ntelecommunications, electrical power,\nand other infrastructure services?\nC.13 Do the processes used to               X\nidentify and reflect new threats to the\nagency\xe2\x80\x99s MEI appear adequate?\nC.14 Do the results of the                  X\nvulnerability assessments necessitate\nrevisions to agency policies that\ngovern the management and\nprotection of agency MEI?\nC.15 Did the results of the ERT             X\ncoincide with answers derived from\nquestions A.1 through C.14?\n\n\n\n\n                                                                 16\n\x0c     APPENDIX 2\n\n\n\n\n17\n\x0c                                                                         APPENDIX 3\n\n\n       STATUS OF ADVISORY LETTER RECOMMENDATION\n\n\nRecommendation           Status                        Action Required\n\n\n      1          Management concurs;       Provide a target date for issuance of a\n                 additional information    policy on notifying OIG when attacks\n                 needed.                   occur on DOI\xe2\x80\x99s critical physical\n                                           infrastructure assets\n\n\n\n\n                                      18\n\x0c\x0cMission\nThe mission of the Office of Inspector General (OIG) is to\npromote excellence in the programs, operations, and management\nof the Department of the Interior (DOI). We accomplish our\nmission in part by objectively and independently assessing major\nissues and risks that directly impact, or could impact, the DOI\xe2\x80\x99s\nability to carry out its programs and operations and by timely\nadvising the Secretary, bureau officials, and the Congress of\nactions that should be taken to correct any problems or\ndeficiencies. In that respect, the value of our services is linked to\nidentifying and focusing on the most important issues facing DOI.\n\n\nHow to Report Fraud, Waste, and Abuse\nFraud, waste, and abuse in Government are the concern of\neveryone - Office of Inspector General staff, Departmental\nemployees, and the general public. We actively solicit allegations\nof any inefficient and wasteful practices, fraud, and abuse related\nto Departmental or insular area programs and operations. You can\nreport allegations to us by:\n\nMail:          U.S. Department of the Interior\n               Office of Inspector General\n               Mail Stop 5341-MIB\n               1849 C Street, NW\n               Washington, DC 20240\n\nPhone:         24-Hour Toll Free             800-424-5081\n\n               Washington Metro Area         202-208-5300\n               Hearing Impaired              202-208-2420\n               Fax                           202-208-6023\n\n               Caribbean Region              703-487-8058\n               Northern Pacific Region       671-647-6060\n\nInternet:      www.oig.doi.gov/hotline_form.html\n\x0c'